Vol. 43, No. 6

A duty of tech competence for bar associations? Advances in internal cybersecurity

by Dan Kittay

Spurred on by rules requiring greater expertise in lawyers’ use of technology, bar associations spend an increasing amount of time educating their members about cybersecurity best practices. But what do bars themselves do to protect their own email, member data, and other confidential information? After all, most are small- or medium-sized organizations that are subject to attack just like other businesses.

“We take a shotgun approach, in that we try to cover all our bases,” says Jason Cecil, chief technology officer at The Missouri Bar. “In the old days, you used to focus on your perimeter. These days, you’re focusing everywhere: outside your perimeter and inside it.

“The only real way to do that is through an overall security strategy. It’s something that has to be documented, where you map out all the areas that you have to protect.”

Cecil cited measures such as stronger firewall hardware and software, greater protection against malware, and email encryption as some of the ways his bar has upped its security game. He also noted a key element that other IT professionals interviewed for this article put at or near the top of the list: making sure bar staff knows how to handle phishing and other attacks directed at them, mostly through email.

Beware phishing attempts

For Cecil, the key to reducing the risk of successful attacks is educating staff about what to do and not do when emails arrive that they weren’t expecting. He stresses the importance of not clicking on links or opening attachments, unless the staff member was expecting the email, or has independently verified the email with the sender.

“You’re also keeping a close eye on your employees, not because you don’t trust them, but because they are likely your weakest link in allowing something through to your network,” Cecil says. “What concerns me most right now is phishing. If something were to happen with us, my guess is it would be through phishing, or some sort of malicious attack through email or link.”

Phishing is the practice where someone sends emails falsely claiming to be from an organization or person, in order to get the recipient to click a link or open an attachment and unknowingly reveal confidential information or install malware on their device. In 2016, several bar associations were victims of a phishing scheme, when their members received bogus emails purporting to be from the bar and claiming that the member was the subject of a disciplinary complaint, and needed to click a link to read the complaint.

Fighting scam emails takes a “multipronged strategy,” Cecil says. His bar uses software and hardware to try to filter out scam emails before they have a chance to reach employees. The software is constantly updated to include the latest threats.

Learning from others’ experiences

For Greg Wacker, IT director at the Kansas City (Mo.) Metropolitan Bar Association, one of the more effective tools in teaching staff members is to tell the story of what happened to a former KCMBA employee several years ago, before the bar had strong protections in place.

“She clicked on a link in an email, and ended up sending out 1,000 emails from her inbox to other people, with malware,” Wacker recalls. “When I tell that, people think, ‘Wow, this could actually embarrass me and make me feel awful if I do something like that.’ That puts a little bit of caution into people.”

In a potentially more costly incident, someone sent an email to an employee in the payroll department of the State Bar of Arizona purporting to be a senior staff executive, says Lori Maxwell, the bar’s chief information officer. Because staff email addresses were listed on the bar’s website, the sender was able to put the executive’s real address in the email’s return address.

The “executive” told the payroll employee that she wasn’t in the office and didn’t have access to her regular bank account, so she wanted the employee to deposit her check into a different account. The two exchanged several emails, and the employee made a change in the bar’s payroll system to direct the check to the different account.

The actual executive got an email alert saying that she had made changes to her payroll account, and called the payroll employee. Eventually, the truth emerged, and no money was sent to the bogus account, Maxwell says.

“We caught it because they picked up the phone and talked to each other,” she notes. In a safety move that others might want to consider, too, Maxwell adds, the bar has since removed email addresses from its website and installed a contact form that people can fill in and send to the bar without knowing the email address.
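As an added illustration of the check that incident points to (example code, not anything used by a bar or vendor named in this article): a small triage script that flags an inbound message for a phone call when a known staff name arrives from an outside address or with an outside Reply-To, and the body asks for a payroll or banking change. The organization domain, the staff roster and the message are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-bar.org"   # assumed: the organization's own mail domain
# Constructed roster: display names an impersonator might borrow, with the real address.
STAFF = {"Jane Doe": "jdoe@example-bar.org"}
PAYROLL_TERMS = ("direct deposit", "bank account", "payroll", "routing number")


def plain_text_body(msg) -> str:
    """Collect the text/plain parts of a parsed message (samples here are single-part)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")


def impersonation_findings(raw_message: str) -> list:
    """Return tagged reasons a message deserves an out-of-band check; empty means none."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    real_addr = STAFF.get(from_name)
    if real_addr is not None and from_addr.lower() != real_addr:
        findings.append(f"IDENTITY: '{from_name}' sent from outside address {from_addr}")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        findings.append(f"REPLY-TO: replies would leave the organization: {reply_addr}")
    body = plain_text_body(msg).lower()
    hits = [t for t in PAYROLL_TERMS if t in body]
    if hits:
        findings.append("PAYROLL: requests a payroll or banking change: " + ", ".join(hits))
    return findings


def requires_phone_verification(raw_message: str) -> bool:
    """True when a sender-identity mismatch coincides with a payroll/banking request."""
    findings = impersonation_findings(raw_message)
    identity_issue = any(f.startswith(("IDENTITY:", "REPLY-TO:")) for f in findings)
    return identity_issue and any(f.startswith("PAYROLL:") for f in findings)


# Constructed message modelled on the incident described above (not a real email).
SUSPECT = """\
From: Jane Doe <jane.doe.office@mail-example.net>
Reply-To: jane.doe.office@mail-example.net
To: payroll@example-bar.org
Subject: quick favor

I'm out of the office and can't get to my regular bank account.
Please put this week's check into a different account; routing number to follow.
"""

if __name__ == "__main__":
    for line in impersonation_findings(SUSPECT):
        print(line)
    print("call the sender before changing anything:", requires_phone_verification(SUSPECT))
```

The script only ranks messages for a human callback; the control that actually stopped the Arizona incident was the phone call, and any payroll change request should still be confirmed by voice regardless of what a filter reports.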

Could you pass the test?

As part of educating staff about safe email practices, Wacker, Cecil and others also contract with companies such as Cofense and KnowBe4 to send test phishing scams to employees and report on whether anyone opened them and clicked on any links or attachments.

The key to designing a fake phishing email is to make it appear as something the recipient would normally receive and act on, says Tonia Dudley, security solutions advisor at Cofense. The company keeps on top of the latest trends in phishing attacks, she says, and uses them as the basis for their own simulated ones.

“Over the past six months, we’ve seen an increase in subject lines that are around paying an invoice, a purchase order, or a pricing inquiry,” Dudley says. “Most organizations have gateways that block a lot of spammy-looking emails, so we try to stay focused on the kinds of things they normally see in their inbox.”

Test phishing emails have occasionally resulted in employees clicking on links, says Joe Kaczrowski, senior director of technology at the Minnesota State Bar Association, Hennepin County Bar Association, and Ramsey County Bar Association. Telling staff about those clicks helps reinforce what real attempts are likely to look like.

“As they see it more, they become more familiar with it,” Kaczrowski says. “As these have come out, we’ve been able to use them as examples of what to look for.”

Encrypting sensitive information

Sending confidential information by unencrypted email is another area of concern. A growing number of bars have begun sending encrypted emails when transferring sensitive information. Cecil says his bar has enabled encrypted mail for some of its employees, and encourages them to use it when needed.

Some bars have been working with vendors that offer secure email products, both to the bar itself and to its members at a discounted rate. One such vendor that works with several bar associations, Identillect, has been seeing an increased focus on “end-to-end encryption” to help ensure that private data cannot be intercepted anywhere in the email transit process.

As rules for their members requiring greater attention to data privacy increase, bars are saying, “‘We need to walk the walk, if we’re setting a standard for our members,’” believes Todd Sexton, chief executive officer at Identillect.

As encryption technology has advanced, it has become relatively simple for bars to send encrypted email, and—just as important—for those who receive it to easily decrypt it, Sexton says. In many cases, the recipient has “one extra click” to read the email.

People: the greatest defense, and vulnerability

A common thread among all those interviewed is that while the technology to defend against attacks has gotten more sophisticated, so has the effort to breach the defenses. The one area that will always be vulnerable, and therefore needs the most attention, is the human factor: the moment when the person reading the email has to decide what to do about it.

“Our employees are our first line of defense,” Maxwell says. “My big thing is to educate, educate, educate the staff not to click on links or give away their passwords or ID.”